Posted to users@spamassassin.apache.org by Giampaolo Tomassoni <gi...@tomassoni.biz> on 2011/04/01 00:15:48 UTC
Re: ups.com virus has now switched to dhl.com
From: "Michael Scheidell" <mi...@secnap.com>
>
> using amavisd-new, we can set up policies, per user, and per domain if
> needed to match the end users needs.
Via Amavis one can even "ban" executable attachments. With a little work, one
can develop a system which notifies users that such a message has been received
and blocked, along with a link to an unlock web page. There users could see
the message source, subject, attachment name, block reason and a few other
data and, if they like, they can "unblock" the message to get it. Besides,
the unlock page may run an AV check on the message when opened, to increase
the chance to "catch" a virus which wasn't known as such when received.
Giampaolo
Re: ups.com virus has now switched to dhl.com
Posted by Michael Scheidell <mi...@secnap.com>.
On 3/31/11 6:15 PM, Giampaolo Tomassoni wrote:
> Via Amavis one can even "ban" executable attachments. With a little work,
> one can develop a system which notifies users that such a message has
> been received and blocked, along with a link to an unlock web page.
> There users could see the message source, subject, attachment name,
> block reason and a few other data and, if they like, they can "unblock"
> the message to get it. Besides, the unlock page may run an AV check on
> the message when opened, to increase the chance to "catch" a virus
> which wasn't known as such when received.
yep, we do that. and with clamav, you can take a sha256 or md5
signature (using clamav's sigtool), make a local.hdb file and put it into
../db/clamav, reload sigs, and you don't have to wait for clamav (which
has been taking 48 hours or so to get sigs for these that change every
12 hours... :-)
so, yes, we have rules that allow zips (which clients demand), but we
look for dhl/ups and any attachments like zip, rar, exe, and have them
rated 'spam' and quarantined. then I can open quarantine, get the
zip, make a clamav sig.. so later, if a user tries to release it, we run
clamav one more time, and they see it's a virus.
we are seeing about one of these per email address per day.
so, a 10,000 user system is seeing 10,000 of these a day now.
and they change at about 23:00 GMT.
--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation
* Best Intrusion Prevention Product, Networks Product Guide
* Certified SNORT Integrator
* Hot Company Award, World Executive Alliance
* Best in Email Security, 2010 Network Products Guide
* King of Spam Filters, SC Magazine
______________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
______________________________________________________________________
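The local hash-signature step Michael describes, as an added example that is not code from the original thread: it builds the HASH:SIZE:NAME line in the same format `sigtool --sha256 FILE` prints, appends it to a local.hdb, and looks a file up against that hdb the way clamd matches hash signatures (hash and size must both match). The sample attachment bytes, the temp directory and the signature name are constructed; in real use the hdb goes into ClamAV's database directory and clamd is told to reload (e.g. `clamdscan --reload`).

```shell
#!/bin/sh
# Constructed stand-in for a quarantined attachment (harmless bytes, not real malware).
SAMPLE_DIR=$(mktemp -d)
SAMPLE="$SAMPLE_DIR/dhl_notice.zip"
printf 'constructed sample bytes standing in for the quarantined zip\n' > "$SAMPLE"
# In production this would be e.g. /var/lib/clamav/local.hdb; a temp path here.
HDB="$SAMPLE_DIR/local.hdb"

# Print one ClamAV hash-signature line for a file: HASH:SIZE:MALWARENAME.
# This is the same layout "sigtool --sha256 FILE" emits; computed with coreutils
# so the example runs where sigtool is not installed.
hdb_line() {
  file=$1; name=$2
  hash=$(sha256sum "$file" | cut -d' ' -f1)
  size=$(wc -c < "$file" | tr -d ' ')
  printf '%s:%s:%s\n' "$hash" "$size" "$name"
}

# Append a signature to local.hdb. After this, clamd needs a reload to pick it up.
add_sig() { hdb_line "$1" "$2" >> "$HDB"; }

# Look a file up in local.hdb as clamd would: both hash and size must match.
# Prints the signature name and returns 0 on a hit, non-zero otherwise.
hdb_lookup() {
  file=$1
  hash=$(sha256sum "$file" | cut -d' ' -f1)
  size=$(wc -c < "$file" | tr -d ' ')
  match=$(grep "^$hash:$size:" "$HDB" 2>/dev/null | cut -d: -f3 | head -n1)
  [ -n "$match" ] && printf '%s\n' "$match"
}

# Usage: sign the quarantined sample, then re-check it (what the release step would do).
add_sig "$SAMPLE" "Win.Trojan.DHL-Notice.constructed"
hdb_lookup "$SAMPLE"
```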